Vulnerabilities (CVE)

Filtered by CWE-254
Total 407 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-1297 1 Google 1 Chrome 2025-04-12 7.5 HIGH N/A
The WebRequest API implementation in extensions/browser/api/web_request/web_request_api.cc in Google Chrome before 45.0.2454.85 does not properly consider a request's source before accepting the request, which allows remote attackers to bypass intended access restrictions via a crafted (1) app or (2) extension.
CVE-2015-3710 1 Apple 2 Iphone Os, Mac Os X 2025-04-12 4.3 MEDIUM N/A
Mail in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to trigger a refresh operation, and consequently cause a visit to an arbitrary web site, via a crafted HTML e-mail message.
CVE-2015-0599 1 Cisco 1 Unified Computing System 2025-04-12 4.3 MEDIUM N/A
The web interface in Cisco Integrated Management Controller in Cisco Unified Computing System (UCS) on C-Series Rack Servers does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuf50138.
CVE-2016-0950 1 Adobe 1 Connect 2025-04-12 5.0 MEDIUM 5.3 MEDIUM
Adobe Connect before 9.5.2 allows remote attackers to spoof the user interface via unspecified vectors.
CVE-2016-2831 4 Canonical, Debian, Mozilla and 1 more 5 Ubuntu Linux, Debian Linux, Firefox and 2 more 2025-04-12 5.8 MEDIUM 8.8 HIGH
Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (UI outage), or conduct clickjacking or spoofing attacks, via a crafted web site.
CVE-2016-3672 3 Canonical, Linux, Novell 9 Ubuntu Linux, Linux Kernel, Suse Linux Enterprise Desktop and 6 more 2025-04-12 4.6 MEDIUM 7.8 HIGH
The arch_pick_mmap_layout function in arch/x86/mm/mmap.c in the Linux kernel through 4.5.2 does not properly randomize the legacy base address, which makes it easier for local users to defeat the intended restrictions on the ADDR_NO_RANDOMIZE flag, and bypass the ASLR protection mechanism for a setuid or setgid program, by disabling stack-consumption resource limits.
CVE-2015-3658 1 Apple 3 Iphone Os, Mac Os X, Safari 2025-04-12 6.8 MEDIUM N/A
The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.
CVE-2015-1281 4 Debian, Google, Opensuse and 1 more 7 Debian Linux, Chrome, Opensuse and 4 more 2025-04-12 4.3 MEDIUM N/A
core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source.
CVE-2015-8804 3 Canonical, Nettle Project, Opensuse 4 Ubuntu Linux, Nettle, Leap and 1 more 2025-04-12 7.5 HIGH 9.8 CRITICAL
x86_64/ecc-384-modp.asm in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-384 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors.
CVE-2016-0287 2 Ibm, Microsoft 2 I Access, Windows 2025-04-12 2.1 LOW 7.8 HIGH
IBM i Access 7.1 on Windows allows local users to discover registry passwords via unspecified vectors.
CVE-2016-2929 1 Ibm 1 Bigfix Remote Control 2025-04-12 4.3 MEDIUM 8.1 HIGH
IBM BigFix Remote Control before 9.1.3 does not properly restrict password choices, which makes it easier for remote attackers to obtain access via a brute-force approach.
CVE-2016-1958 3 Mozilla, Opensuse, Oracle 3 Firefox, Opensuse, Linux 2025-04-12 4.3 MEDIUM 4.3 MEDIUM
browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a javascript: URL.
CVE-2015-4498 1 Mozilla 1 Firefox 2025-04-12 7.5 HIGH N/A
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point in the installation process.
CVE-2016-2833 3 Canonical, Mozilla, Opensuse 4 Ubuntu Linux, Firefox, Leap and 1 more 2025-04-12 4.3 MEDIUM 6.1 MEDIUM
Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives for cross-domain Java applets, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted applet.
CVE-2016-5132 1 Google 1 Chrome 2025-04-12 6.8 MEDIUM 8.8 HIGH
The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME element.
CVE-2015-7044 1 Apple 1 Mac Os X 2025-04-12 7.6 HIGH N/A
The System Integrity Protection feature in Apple OS X before 10.11.2 mishandles union mounts, which allows attackers to execute arbitrary code in a privileged context via a crafted app with root privileges.
CVE-2015-3728 1 Apple 1 Iphone Os 2025-04-12 4.8 MEDIUM N/A
The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi-Fi access points to trigger an automatic association, with an arbitrary security type, by operating with a recognized ESSID within an 802.11 network's coverage area.
CVE-2015-5857 1 Apple 1 Iphone Os 2025-04-12 5.0 MEDIUM N/A
Mail in Apple iOS before 9 allows remote attackers to use an address-book contact as a spoofed e-mail sender address via unspecified vectors.
CVE-2015-5178 1 Redhat 2 Jboss Enterprise Application Platform, Jboss Wildfly Application Server 2025-04-12 4.3 MEDIUM N/A
The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
CVE-2016-1860 1 Apple 1 Mac Os X 2025-04-12 4.3 MEDIUM 3.3 LOW
Intel Graphics Driver in Apple OS X before 10.11.5 allows attackers to obtain sensitive kernel memory-layout information via a crafted app, a different vulnerability than CVE-2016-1862.